Iranian APTs Hack US Critical Infrastructure via PLC Exploits

Iranian APT actors exploited CVE-2021-22681 in internet-facing Rockwell Automation PLCs to disrupt U.S. critical infrastructure sectors. Affected organizations in energy, water, and government facilities face operational disruptions, financial losses, and potential safety risks. Immediate mitigation and IOC review are critical to prevent further incidents.

---
title: "Iranian APTs Hack US Critical Infrastructure via PLC Exploits"
short_title: "Iranian APTs target US critical infrastructure PLCs"
description: "Iran-affiliated cyber actors exploit Rockwell Automation PLCs in US critical infrastructure, causing disruptions. Learn how to detect, mitigate, and secure OT devices now."
author: "Vitus"
date: 2025-01-24
categories: [Cybersecurity, Vulnerabilities]
tags: [iranian-apt, plc-exploits, critical-infrastructure, ot-security, rockwell-automation]
score: 0.92
cve_ids: [CVE-2021-22681]
---

## TL;DR

Iranian-affiliated advanced persistent threat (APT) actors are exploiting internet-facing programmable logic controllers (PLCs), including those manufactured by Rockwell Automation, to disrupt U.S. critical infrastructure sectors like energy, water, and government facilities. Organizations are urged to review indicators of compromise (IOCs), secure OT devices, and apply mitigations immediately to prevent operational disruptions and financial losses.

---

## Main Content

### Iranian APTs Exploit PLCs to Disrupt U.S. Critical Infrastructure

U.S. critical infrastructure is under siege as Iranian-affiliated cyber actors target operational technology (OT) devices, specifically programmable logic controllers (PLCs) manufactured by Rockwell Automation/Allen-Bradley. This malicious activity, attributed to an APT group linked to Iran’s Islamic Revolutionary Guard Corps (IRGC), has led to operational disruptions, data manipulation, and financial losses across multiple sectors, including energy, water and wastewater systems (WWS), and government facilities.

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Environmental Protection Agency (EPA), Department of Energy (DOE), and U.S. Cyber Command’s Cyber National Mission Force (CNMF) have issued a joint advisory urging organizations to review tactics, techniques, and procedures (TTPs), query logs for IOCs, and implement recommended mitigations to reduce the risk of compromise.

---

## Key Points

- Targeted Sectors: Energy, water and wastewater systems (WWS), and government facilities are primary targets.
- Affected Devices: Rockwell Automation/Allen-Bradley PLCs (e.g., CompactLogix and Micro850) and potentially other branded OT devices.
- Attack Vector: Threat actors exploit internet-facing PLCs using overseas-based IP addresses and configuration software like Rockwell Automation’s Studio 5000 Logix Designer.
- Impact: Malicious interactions with project files and manipulation of data on human-machine interfaces (HMIs) and supervisory control and data acquisition (SCADA) systems, leading to operational disruptions.
- Mitigation Urgency: Organizations must disconnect PLCs from the internet, enable physical mode switches, and implement multifactor authentication (MFA) to secure OT networks.

---

## Technical Details

#### Initial Access
Iranian APT actors gain access to internet-facing Rockwell Automation PLCs using overseas-based IP addresses. They leverage Rockwell Automation’s Studio 5000 Logix Designer software to establish connections with victim devices, targeting CompactLogix and Micro850 PLCs specifically.

#### Command and Control
Malicious traffic is directed to devices via commonly used OT ports, including:
- `44818` (Rockwell Automation)
- `2222` (Siemens S7)
- `102` (Siemens S7)
- `22` (SSH)
- `502` (Modbus)

The actors deploy Dropbear Secure Shell (SSH) software on victim endpoints to enable remote access through port `22`.

#### Impact
The threat actors extract device project files and manipulate data displayed on HMIs and SCADA systems, resulting in operational disruptions and financial losses. This activity aligns with MITRE ATT&CK techniques T0883 (Internet Accessible Device), T0885 (Commonly Used Port), T1219 (Remote Access Tools), and T1565 (Stored Data Manipulation).

---

## Impact Assessment

The exploitation of PLCs in critical infrastructure poses severe risks, including:
- Operational Disruptions: Malicious interactions with project files can halt industrial processes, leading to downtime and financial losses.
- Data Manipulation: Altering data on HMIs and SCADA displays can mislead operators, potentially causing unsafe conditions or further system compromise.
- Geopolitical Tensions: The escalation of Iranian cyber activity is likely tied to ongoing hostilities between Iran, the U.S., and Israel, increasing the risk of retaliatory cyberattacks.

---

## Mitigation Steps

#### Immediate Actions
1. Disconnect PLCs from the Internet: Use secure gateways or firewalls to mediate remote access and remove direct internet exposure.
2. Enable Physical Mode Switches: For Rockwell Automation devices, set the physical mode switch to run position to prevent remote modifications.
3. Create and Test Backups: Secure offline backups of PLC logic and configurations to enable rapid recovery.
4. Query Logs for IOCs: Review logs for suspicious traffic originating from the IP addresses listed in the advisory (see Table 1 below).

#### Long-Term Security Measures
1. Implement Multifactor Authentication (MFA): Require MFA for remote access to OT networks.
2. Use Network Proxies and VPNs: Deploy firewalls, VPNs, or gateways to control and monitor access to PLCs.
3. Disable Unused Services: Turn off unnecessary protocols like Telnet, FTP, RDP, and VNC.
4. Monitor Network Traffic: Detect unusual logins or protocol usage that may indicate compromise.
5. Apply Patches: Keep PLC devices updated with the latest manufacturer patches, prioritizing known exploited vulnerabilities (KEVs).

---

#### Indicators of Compromise (IOCs)
The following IP addresses have been associated with Iranian APT activity:

| Indicator | Beginning of Actor Association | End of Actor Association |
|---------------------|------------------------------------|------------------------------|
| 135.136.1[.]133 | March 2026 | March 2026 |
| 185.82.73[.]162 | January 2025 | March 2026 |
| 185.82.73[.]164 | January 2025 | March 2026 |
| 185.82.73[.]165 | January 2025 | March 2026 |
| 185.82.73[.]167 | January 2025 | March 2026 |
| 185.82.73[.]168 | January 2025 | March 2026 |
| 185.82.73[.]170 | January 2025 | March 2026 |
| 185.82.73[.]171 | January 2025 | March 2026 |
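The advisory summary tells defenders to query logs for the listed indicators and to watch for unusual protocol usage on the OT ports named in the Command and Control section. The script below is an added example (not tooling from the advisory, CISA, or Rockwell Automation) that does both over a few constructed iptables-style firewall log lines: it refangs the IOC table above, flags any line whose source or destination matches a listed address, and flags any connection to an OT port that does not come from an assumed engineering-workstation subnet, ranking external sources higher than internal ones. The log format, the `10.10.20.0/24` allowlist, the RFC 1918 definition of "internal", and every sample line are assumptions made for this example.

```python
"""Added detection example: match firewall log lines against the advisory's IOC
list and flag OT-port access from unexpected sources. All log lines, subnets
and the log format are constructed for illustration."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

# Indicators copied from the IOC table, in defanged form.
DEFANGED_IOCS = [
    "135.136.1[.]133", "185.82.73[.]162", "185.82.73[.]164", "185.82.73[.]165",
    "185.82.73[.]167", "185.82.73[.]168", "185.82.73[.]170", "185.82.73[.]171",
]

# OT ports with the labels given in the Command and Control section.
OT_PORTS = {44818: "Rockwell Automation", 2222: "Siemens S7", 102: "Siemens S7",
            22: "SSH", 502: "Modbus"}

# Assumptions for this example: RFC 1918 space counts as internal, and only the
# engineering-workstation subnet is expected to reach PLCs on OT ports.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ENGINEERING_ALLOWLIST = [ipaddress.ip_network("10.10.20.0/24")]

# Constructed log format: "<timestamp> <ACCEPT|DROP> src=A dst=B proto=P dport=N"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ACCEPT|DROP)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)"
    r"\s+proto=\S+\s+dport=(?P<dport>\d+)$")


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    dport: int
    severity: str
    reasons: list = field(default_factory=list)


def refang(indicator: str) -> str:
    """Turn a defanged address such as 185.82.73[.]162 back into a parseable one."""
    return indicator.replace("[.]", ".")


IOC_SET = {ipaddress.ip_address(refang(i)) for i in DEFANGED_IOCS}


def in_any(addr, nets) -> bool:
    return any(addr in net for net in nets)


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    try:
        return {"ts": m["ts"], "action": m["action"],
                "src": ipaddress.ip_address(m["src"]),
                "dst": ipaddress.ip_address(m["dst"]),
                "dport": int(m["dport"])}
    except ValueError:  # malformed address
        return None


def assess(rec: dict) -> Optional[Finding]:
    """Apply the two rules; severity is the highest rule that fired."""
    reasons, severity = [], None
    if rec["src"] in IOC_SET or rec["dst"] in IOC_SET:
        reasons.append("address matches advisory IOC list")
        severity = "critical"
    if rec["dport"] in OT_PORTS and not in_any(rec["src"], ENGINEERING_ALLOWLIST):
        label = OT_PORTS[rec["dport"]]
        if not in_any(rec["src"], INTERNAL_NETS):
            reasons.append(f"{label} port {rec['dport']} reached from external address")
            severity = severity or "high"
        else:
            reasons.append(f"{label} port {rec['dport']} from non-engineering internal host")
            severity = severity or "medium"
    if not reasons:
        return None
    if rec["action"] == "DROP":
        # A blocked attempt from a listed indicator still shows the site is being probed.
        reasons.append("blocked by firewall (attempt only)")
    return Finding(rec["ts"], str(rec["src"]), str(rec["dst"]), rec["dport"], severity, reasons)


def scan(lines) -> list:
    """Return one Finding per log line that triggers at least one rule."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec:
            finding = assess(rec)
            if finding:
                findings.append(finding)
    return findings


# Constructed sample lines (not real traffic).
SAMPLE_LOGS = [
    "2026-03-12T04:11:09Z ACCEPT src=185.82.73.164 dst=10.20.0.15 proto=tcp dport=44818",
    "2026-03-12T04:12:30Z ACCEPT src=10.10.20.7 dst=10.20.0.15 proto=tcp dport=44818",
    "2026-03-12T04:13:02Z ACCEPT src=10.30.5.9 dst=10.20.0.15 proto=tcp dport=502",
    "2026-03-12T04:15:44Z ACCEPT src=203.0.113.77 dst=10.20.0.16 proto=tcp dport=22",
    "2026-03-12T04:16:10Z DROP src=185.82.73.170 dst=10.20.0.15 proto=tcp dport=2222",
    "2026-03-12T04:17:00Z ACCEPT src=10.40.1.2 dst=10.20.0.16 proto=tcp dport=8080",
    "not a log line",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"{f.ts} {f.severity.upper():8} {f.src} -> {f.dst}:{f.dport}  {'; '.join(f.reasons)}")
```

Run as-is it reports four of the seven sample lines: the two involving listed indicators (one of them a blocked attempt, kept because probing from a known address is itself worth a ticket), the external SSH connection to an OT host (the kind of access the Dropbear deployment described above would need), and the internal non-engineering host reaching Modbus. In a real deployment the sample list would be replaced by a firewall or flow export and the allowlist by the site's actual engineering-workstation range.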

---

## Affected Systems

- Rockwell Automation/Allen-Bradley PLCs (e.g., CompactLogix, Micro850)
- Potentially other branded PLCs, including Siemens S7 devices

---

## Conclusion

The exploitation of PLCs by Iranian-affiliated APT actors underscores the growing threat to U.S. critical infrastructure. Organizations must act swiftly to secure OT devices, monitor for IOCs, and implement robust cybersecurity measures to mitigate risks. Failure to do so could result in operational disruptions, financial losses, and compromised safety.

For further guidance, review Rockwell Automation’s security advisories and consult the authoring agencies for support. Stay vigilant and prioritize the security of OT systems to safeguard against evolving cyber threats.

---

## References

[^1]: CISA. "[Iranian-Affiliated Cyber Actors Exploit Programmable Logic Controllers Across US Critical Infrastructure](https://www.cisa.gov/news-events/cybersecurity-advisories/aa26-097a)". Retrieved 2025-01-24.
[^2]: Rockwell Automation. "[PN1550 | CVE-2021-22681: Authentication Bypass Vulnerability Found in Logix Controllers](https://www.rockwellautomation.com/en-fi/trust-center/security-advisories/advisory.PN1550.html)". Retrieved 2025-01-24.
[^3]: MITRE. "[MITRE ATT&CK Matrix for Enterprise](https://attack.mitre.org/versions/v18/matrices/enterprise/)". Retrieved 2025-01-24.
[^4]: CISA. "[Iran Threat Overview and Advisories](https://www.cisa.gov/topics/cyber-threats-and-advisories/advanced-persistent-threats/iran)". Retrieved 2025-01-24.
